Fix various memory leaks reported by Coverity

Covscan report contains various memory leak defects which were marked as important. I have spent some time analyzing them and although they were marked as important, most of them are in error cases, so probably nothing serious. Let's fix most of them anyway. The rest are false positives, or too complicated to fix, or already fixed in master, or simply I am unsure about them. Relates: https://github.com/FreeRDP/FreeRDP/issues/6981
2021-04-27 10:04:47 +02:00 · 2021-04-27 10:04:47 +02:00 · 892cbe3261
commit 892cbe3261
parent ac25baa5ee
17 changed files with 48 additions and 6 deletions
--- a/channels/printer/client/printer_main.c
+++ b/channels/printer/client/printer_main.c
@ -109,7 +109,10 @@ static BOOL printer_write_setting(const char* path, prn_conf_t type, const void*
 	char* abs = GetCombinedPath(path, name);

 	if (!abs || (length > INT32_MAX))
+	{
+		free(abs);
 		return FALSE;
+	}

 	file = CreateFileA(abs, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 	free(abs);
--- a/channels/rdp2tcp/client/rdp2tcp_main.c
+++ b/channels/rdp2tcp/client/rdp2tcp_main.c
@ -327,7 +327,10 @@ BOOL VCAPITYPE VirtualChannelEntryEx(PCHANNEL_ENTRY_POINTS pEntryPoints, PVOID p
 	plugin->channelEntryPoints = *pEntryPointsEx;

 	if (init_external_addin(plugin) < 0)
+	{
+		free(plugin);
 		return FALSE;
+	}

 	strncpy(channelDef.name, RDP2TCP_CHAN_NAME, sizeof(channelDef.name));
 	channelDef.options =
--- a/channels/smartcard/client/smartcard_main.c
+++ b/channels/smartcard/client/smartcard_main.c
@ -477,6 +477,7 @@ static UINT smartcard_process_irp(SMARTCARD_DEVICE* smartcard, IRP* irp)
 		{
 			if ((status = smartcard_irp_device_control_call(smartcard, operation)))
 			{
+				free(operation);
 				WLog_ERR(TAG, "smartcard_irp_device_control_call failed with error %" PRId32 "!",
 				         status);
 				return (UINT32)status;
--- a/channels/smartcard/client/smartcard_operations.c
+++ b/channels/smartcard/client/smartcard_operations.c
@ -516,7 +516,10 @@ static DWORD filter_device_by_name_w(wLinkedList* list, LPWSTR* mszReaders, DWOR

 	/* When res==0, readers may have been set to NULL by ConvertFromUnicode */
 	if ((res < 0) || ((DWORD)res != cchReaders) || (readers == 0))
+	{
+		free(readers);
 		return 0;
+	}

 	free(*mszReaders);
 	*mszReaders = NULL;
--- a/channels/smartcard/client/smartcard_pack.c
+++ b/channels/smartcard/client/smartcard_pack.c
@ -406,7 +406,9 @@ static char* smartcard_msz_dump_w(const WCHAR* msz, size_t len, char* buffer, si
 {
 	char* sz = NULL;
 	ConvertFromUnicode(CP_UTF8, 0, msz, (int)len, &sz, 0, NULL, NULL);
-	return smartcard_msz_dump_a(sz, len, buffer, bufferLen);
+	smartcard_msz_dump_a(sz, len, buffer, bufferLen);
+	free(sz);
+	return buffer;
 }

 static char* smartcard_array_dump(const void* pd, size_t len, char* buffer, size_t bufferLen)
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@ -552,7 +552,10 @@ static UINT urb_select_interface(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
 	MsInterface = msusb_msinterface_read(s);

 	if ((Stream_GetRemainingLength(s) < 4) || !MsInterface)
+	{
+		msusb_msinterface_free(MsInterface);
 		return ERROR_INVALID_DATA;
+	}

 	Stream_Read_UINT32(s, OutputBufferSize);
 	pdev->select_interface(pdev, MsInterface->InterfaceNumber, MsInterface->AlternateSetting);
--- a/channels/urbdrc/common/msusb.c
+++ b/channels/urbdrc/common/msusb.c
@ -108,7 +108,7 @@ static MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_new()
 	return (MSUSB_INTERFACE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_INTERFACE_DESCRIPTOR));
 }

-static void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface)
+void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface)
 {
 	if (MsInterface)
 	{
--- a/channels/urbdrc/common/msusb.h
+++ b/channels/urbdrc/common/msusb.h
@ -82,6 +82,7 @@ extern "C"
 	                                           MSUSB_INTERFACE_DESCRIPTOR* NewMsInterface);
 	FREERDP_API MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* out);
 	FREERDP_API BOOL msusb_msinterface_write(MSUSB_INTERFACE_DESCRIPTOR* MsInterface, wStream* out);
+	FREERDP_API void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface);

 	/* MSUSB_CONFIG exported functions */
 	FREERDP_API MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_new(void);
--- a/client/Wayland/wlf_cliprdr.c
+++ b/client/Wayland/wlf_cliprdr.c
@ -649,7 +649,10 @@ wlf_cliprdr_server_format_data_request(CliprdrClientContext* context,
 	}

 	if (rc != CHANNEL_RC_OK)
+	{
+		free(data);
 		return rc;
+	}

 	rc = wlf_cliprdr_send_data_response(clipboard, data, size);
 	free(data);
--- a/client/X11/xf_window.c
+++ b/client/X11/xf_window.c
@ -1119,7 +1119,10 @@ xfAppWindow* xf_AppWindowFromX11Window(xfContext* xfc, Window wnd)
 		appWindow = xf_rail_get_window(xfc, *(UINT64*)pKeys[index]);

 		if (!appWindow)
+		{
+			free(pKeys);
 			return NULL;
+		}

 		if (appWindow->handle == wnd)
 		{
--- a/libfreerdp/common/assistance.c
+++ b/libfreerdp/common/assistance.c
@ -400,7 +400,7 @@ static BOOL freerdp_assistance_parse_connection_string2(rdpAssistanceFile* file)
 		{
 			WLog_ERR(TAG, "Failed to parse ASSISTANCE file: ConnectionString2 invalid field "
 			              "order for ID");
-			return -1;
+			goto out_fail;
 		}
 		length = q - p;
 		free(file->RASessionId);
--- a/libfreerdp/core/gateway/ncacn_http.c
+++ b/libfreerdp/core/gateway/ncacn_http.c
@ -121,6 +121,7 @@ BOOL rpc_ncacn_http_recv_in_channel_response(RpcChannel* inChannel, HttpResponse
 	if (ntlmTokenData && ntlmTokenLength)
 		return ntlm_client_set_input_buffer(ntlm, FALSE, ntlmTokenData, ntlmTokenLength);

+	free(ntlmTokenData);
 	return TRUE;
 }

@ -274,5 +275,6 @@ BOOL rpc_ncacn_http_recv_out_channel_response(RpcChannel* outChannel, HttpRespon
 	if (ntlmTokenData && ntlmTokenLength)
 		return ntlm_client_set_input_buffer(ntlm, FALSE, ntlmTokenData, ntlmTokenLength);

+	free(ntlmTokenData);
 	return TRUE;
 }
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@ -350,7 +350,10 @@ static BOOL rdg_write_chunked(BIO* bio, wStream* sPacket)
 	len = Stream_Length(sChunk);

 	if (len > INT_MAX)
+	{
+		Stream_Free(sChunk, TRUE);
 		return FALSE;
+	}

 	status = BIO_write(bio, Stream_Buffer(sChunk), (int)len);
 	Stream_Free(sChunk, TRUE);
@ -2060,7 +2063,10 @@ static int rdg_write_chunked_data_packet(rdpRdg* rdg, const BYTE* buf, int isize
 	len = Stream_Length(sChunk);

 	if (len > INT_MAX)
+	{
+		Stream_Free(sChunk, TRUE);
 		return -1;
+	}

 	status = tls_write_all(rdg->tlsIn, Stream_Buffer(sChunk), (int)len);
 	Stream_Free(sChunk, TRUE);
--- a/libfreerdp/core/gateway/rpc_client.c
+++ b/libfreerdp/core/gateway/rpc_client.c
@ -692,7 +692,7 @@ static int rpc_client_nondefault_out_channel_recv(rdpRpc* rpc)
 				WLog_ERR(TAG,
 				         "rpc_client_nondefault_out_channel_recv: Unexpected message %08" PRIx32,
 				         nextOutChannel->State);
-				return -1;
+				status = -1;
 		}

 		http_response_free(response);
--- a/libfreerdp/core/info.c
+++ b/libfreerdp/core/info.c
@ -719,7 +719,7 @@ static BOOL rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 			} ptrconv;

 			if (settings->RedirectionPasswordLength > UINT16_MAX)
-				return FALSE;
+				goto fail;
 			usedPasswordCookie = TRUE;

 			ptrconv.bp = settings->RedirectionPassword;
--- a/rdtk/librdtk/rdtk_nine_patch.c
+++ b/rdtk/librdtk/rdtk_nine_patch.c
@ -394,6 +394,8 @@ int rdtk_nine_patch_engine_init(rdtkEngine* engine)
 			else
 				winpr_image_free(image, TRUE);
 		}
+		else
+			winpr_image_free(image, TRUE);
 	}

 	if (!engine->textField9patch)
@ -402,6 +404,7 @@ int rdtk_nine_patch_engine_init(rdtkEngine* engine)
 		BYTE* data;
 		status = -1;
 		size = rdtk_get_embedded_resource_file("textfield_default.9.png", &data);
+		image = NULL;

 		if (size > 0)
 		{
@ -420,6 +423,8 @@ int rdtk_nine_patch_engine_init(rdtkEngine* engine)
 			else
 				winpr_image_free(image, TRUE);
 		}
+		else
+			winpr_image_free(image, TRUE);
 	}

 	return 1;
--- a/winpr/tools/makecert/makecert.c
+++ b/winpr/tools/makecert/makecert.c
@ -81,9 +81,16 @@ static char* makecert_read_str(BIO* bio, size_t* pOffset)
 		new_len = length * 2;
 		if (new_len == 0)
 			new_len = 2048;
+
+		if (new_len > INT_MAX)
+		{
+			status = -1;
+			break;
+		}
+
 		new_str = (char*)realloc(x509_str, new_len);

-		if (!new_str || (new_len > INT_MAX))
+		if (!new_str)
 		{
 			status = -1;
 			break;